autodrop 0.1.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/ChangeLog +13 -0
- data/LICENSE +24 -0
- data/Rakefile +31 -66
- data/autodrop +321 -0
- data/autodrop.conf.default +24 -0
- data/autodrop.rb +321 -0
- data/autodrop.sh +19 -0
- data/autodrop.txt +66 -0
- metadata +47 -41
- data/bin/autodrop +0 -202
- data/bin/autodrop.rb +0 -202
- data/conf/autodrop.conf.default +0 -17
- data/doc/README.jp.txt +0 -164
- data/doc/README.txt +0 -165
- data/misc/autodrop.sh +0 -18
data/doc/README.txt
DELETED
|
@@ -1,165 +0,0 @@
|
|
|
1
|
-
autodrop README
|
|
2
|
-
|
|
3
|
-
NOZAWA Hiromasa, Tokyo Japan
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
= About
|
|
7
|
-
|
|
8
|
-
Autodrop is a daemon, observes syslog logs and forbid accesses from
|
|
9
|
-
remote hosts who continue wrong attempt to our host like knocking port
|
|
10
|
-
22 for 100,000,000 times a day. Autodrop uses iptables(8) and named
|
|
11
|
-
pipe from syslogd.
|
|
12
|
-
|
|
13
|
-
Autodrop adds DROP rule into iptables' INPUT table for the remote host
|
|
14
|
-
which generates log messages matched with same reguler expression more
|
|
15
|
-
than specified times in specified interval.
|
|
16
|
-
|
|
17
|
-
Multiple regular expression can be specified by config file. Also
|
|
18
|
-
matching count threshold and interval time to continue counting can be
|
|
19
|
-
customizable.
|
|
20
|
-
|
|
21
|
-
Autodrop watches a named pipe and not neither does polling nor stat(2)
|
|
22
|
-
on many log files. You need syslogd which can output logs to named
|
|
23
|
-
pipe.
|
|
24
|
-
|
|
25
|
-
Autodrop is written in Ruby scripting language then surely it will not
|
|
26
|
-
suit for very high traffic sites. However it works well to shut out
|
|
27
|
-
port 22 knockers for my small site.
|
|
28
|
-
|
|
29
|
-
Using autodrop can also shut out yourself from your host. Be careful.
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
= Requirement
|
|
33
|
-
|
|
34
|
-
* linux box (for iptables)
|
|
35
|
-
* syslogd (can output logs to named pipes)
|
|
36
|
-
* ruby 1.8.6 or later (I have not run autodrop on other versions)
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
= Licence
|
|
40
|
-
|
|
41
|
-
BSD
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
= Install
|
|
45
|
-
|
|
46
|
-
After doing 'gem install', you need to write config file.
|
|
47
|
-
Fix #! line in the script if necessary.
|
|
48
|
-
|
|
49
|
-
*1. gem install autodrop
|
|
50
|
-
|
|
51
|
-
*2. cd <GEMDIR>/gems/autodrop-x.x.x/conf
|
|
52
|
-
|
|
53
|
-
*3. sudo cp autodrop.conf.default /etc
|
|
54
|
-
|
|
55
|
-
*4. Edit /etc/autodrop.conf
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
= Usage
|
|
59
|
-
|
|
60
|
-
== Start
|
|
61
|
-
|
|
62
|
-
------------------------------
|
|
63
|
-
$ sudo ruby autodrop.rb
|
|
64
|
-
------------------------------
|
|
65
|
-
|
|
66
|
-
Default config file is /etc/autodrop.conf .
|
|
67
|
-
Another config file can be specified from command line.
|
|
68
|
-
|
|
69
|
-
------------------------------
|
|
70
|
-
$ ruby autodrop.rb -c /foo/bar/autodrop.conf
|
|
71
|
-
------------------------------
|
|
72
|
-
|
|
73
|
-
== Stop
|
|
74
|
-
|
|
75
|
-
------------------------------
|
|
76
|
-
$ sudo kill `cat /var/run/autodrop.pid`
|
|
77
|
-
------------------------------
|
|
78
|
-
|
|
79
|
-
== When Running
|
|
80
|
-
|
|
81
|
-
Autodrop itself also outputs syslog logs with prefix 'autodrop' when
|
|
82
|
-
started, stopped and each occurrences of DROP.
|
|
83
|
-
|
|
84
|
-
After running autodrop, iptables's INPUT table will filled with DROP
|
|
85
|
-
rules in few weeks or months but autodrop does not have ability to
|
|
86
|
-
clear them. Please do it by your hand when it required.
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
= autodrop.conf
|
|
90
|
-
|
|
91
|
-
All variables are not omit-able.
|
|
92
|
-
These are Ruby's constant variables.
|
|
93
|
-
|
|
94
|
-
* MESSAGES_TO_WATCH
|
|
95
|
-
|
|
96
|
-
Array of regular expressions.
|
|
97
|
-
Each expression must have $1 and it must match an IP address.
|
|
98
|
-
|
|
99
|
-
------------------------------
|
|
100
|
-
MESSAGES_TO_WATCH =
|
|
101
|
-
[
|
|
102
|
-
# OpenSSH's
|
|
103
|
-
/Invalid user [^\s]+ from (.+)/,
|
|
104
|
-
/Address (.+) maps to.*POSSIBLE BREAK-IN ATTEMPT!/,
|
|
105
|
-
]
|
|
106
|
-
------------------------------
|
|
107
|
-
|
|
108
|
-
* COUNT_MAX
|
|
109
|
-
|
|
110
|
-
Matching count to do DROP.
|
|
111
|
-
|
|
112
|
-
------------------------------
|
|
113
|
-
COUNT_MAX = 3
|
|
114
|
-
------------------------------
|
|
115
|
-
|
|
116
|
-
* INTERVAL
|
|
117
|
-
|
|
118
|
-
Interval time to continue counting for a remote host matched
|
|
119
|
-
to a pattern. Specify in seconds.
|
|
120
|
-
Each interval timers are reset on each matches.
|
|
121
|
-
|
|
122
|
-
------------------------------
|
|
123
|
-
INTERVAL = 10
|
|
124
|
-
------------------------------
|
|
125
|
-
|
|
126
|
-
* IPTABLES_PROGRAM
|
|
127
|
-
|
|
128
|
-
iptables(8) command path.
|
|
129
|
-
|
|
130
|
-
------------------------------
|
|
131
|
-
IPTABLES_PROGRAM = '/sbin/iptables'
|
|
132
|
-
------------------------------
|
|
133
|
-
|
|
134
|
-
* PIDFILE
|
|
135
|
-
|
|
136
|
-
PID file path.
|
|
137
|
-
|
|
138
|
-
------------------------------
|
|
139
|
-
PIDFILE = '/var/run/autodrop.pid'
|
|
140
|
-
------------------------------
|
|
141
|
-
|
|
142
|
-
* WATCH_FIFO
|
|
143
|
-
|
|
144
|
-
Named pipe path to watch.
|
|
145
|
-
|
|
146
|
-
------------------------------
|
|
147
|
-
WATCH_FIFO = '/var/log/authfifo'
|
|
148
|
-
------------------------------
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
= Example: syslogd configuration
|
|
152
|
-
|
|
153
|
-
Create fifo,
|
|
154
|
-
------------------------------
|
|
155
|
-
mkfifo /var/log/authfifo
|
|
156
|
-
------------------------------
|
|
157
|
-
and add it to your syslog.conf
|
|
158
|
-
------------------------------
|
|
159
|
-
authpriv.* |/var/log/authfifo
|
|
160
|
-
------------------------------
|
|
161
|
-
|
|
162
|
-
`|' means `out put logs to this pipe'.
|
|
163
|
-
See your syslog.conf(5) for more details.
|
|
164
|
-
|
|
165
|
-
#eof
|
data/misc/autodrop.sh
DELETED
|
@@ -1,18 +0,0 @@
|
|
|
1
|
-
#!/bin/sh
|
|
2
|
-
|
|
3
|
-
AUTODROP=/usr/local/sbin/autodrop
|
|
4
|
-
CONF=/etc/autodrop.conf
|
|
5
|
-
PIDFILE=/var/run/autodrop.pid
|
|
6
|
-
|
|
7
|
-
case "$1" in
|
|
8
|
-
start)
|
|
9
|
-
$AUTODROP -c $CONF
|
|
10
|
-
;;
|
|
11
|
-
stop)
|
|
12
|
-
kill -TERM `cat ${PIDFILE}`
|
|
13
|
-
;;
|
|
14
|
-
*)
|
|
15
|
-
echo "usage: $0 { start | stop }" >&2
|
|
16
|
-
exit 1
|
|
17
|
-
;;
|
|
18
|
-
esac
|